Risk Management is a key term that comes up again and again when we talk about information security. It is usually the closing stage of dealing with the risks that have been identified.
Risk is the probability of a vulnerability being exploited by a threat, combined with the resulting business impact.
Common elements of a Risk Management framework include:
- Identification of assets (information assets and other related assets): During this process all the assets should be identified. It should be ensured that no critical assets are left out of this process.
- Valuation of assets: The next step is to value the assets based on their importance to the business. This provides insight into how much impact each asset can have on the business and plays a key part in deriving the risk status.
- Threat & vulnerability identification: Potential vulnerabilities and threats related to the assets need to be identified as part of the risk assessment. Some schools of thought claim that threats need to be assessed before the vulnerability assessment, and others claim it should be the other way round. You may choose whichever order you are comfortable with.
  - Vulnerability: A weakness in a mechanism that can threaten the confidentiality, integrity or availability of an asset. It is also considered a lack of countermeasure.
  - Threat: Someone or something uncovering a vulnerability and exploiting it.
- Once you have the above information, the Risk Assessment process requires information on the probability of the threat exploiting the vulnerability.
- The impact to the business from the risk should also be considered before arriving at a conclusion.
- Risk value: Based on the above information, the IT risks shall be assessed in the context of the business and assigned a value. In a qualitative risk assessment, the values can be High, Medium, Low or something similar.
To have an effective risk management program, the identified risks need to be prioritized based on their risk values. It is important to understand that not all risks can be eliminated or mitigated within a small timeframe. Widely accepted risk management (treatment) options are:
Risk Mitigation or Risk Reduction: Implement controls and reduce the risk by reducing the impact and/or probability, eventually reducing the total risk value.
Risk Transfer: Transfer the risk to a third party; a typical approach is to purchase insurance.
Risk Avoidance: Avoid the activity or asset which brings in the risk.
Risk Acceptance: Do nothing and accept the risk. Two reasons typically heard for risk acceptance are (1) the business can absorb the impact in case the said risk materializes, and (2) the cost of risk reduction is higher than the value of the asset.
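The following is an added example, not code from the original post: a minimal qualitative risk register that puts the steps above together. It derives a risk value from the probability of exploitation and the business impact, ranks the risks so the highest ones are treated first, and applies the two acceptance reasons just listed (risk within appetite, or control cost exceeding asset value) to suggest a treatment. The asset names, ratings, costs, the likelihood x impact scoring bands and the appetite threshold are all constructed assumptions, not a standard the post cites.

```python
"""
Added example, not part of the original post: a small qualitative risk
register. Asset names, ratings, costs and thresholds are constructed for
illustration; the likelihood x impact scoring and the treatment rule are
one common convention assumed here.
"""

# Qualitative ratings mapped to ordinal numbers so they can be compared/multiplied.
LEVELS = {"Low": 1, "Medium": 2, "High": 3}


def risk_score(likelihood: str, impact: str) -> int:
    """Probability of exploitation x business impact, as a 1..9 score."""
    return LEVELS[likelihood] * LEVELS[impact]


def risk_value(likelihood: str, impact: str) -> str:
    """Collapse the numeric score back to High / Medium / Low (assumed bands)."""
    score = risk_score(likelihood, impact)
    if score >= 6:
        return "High"
    if score >= 3:
        return "Medium"
    return "Low"


def prioritize(register: list) -> list:
    """Highest-scoring risks first; ties broken by asset valuation."""
    return sorted(
        register,
        key=lambda r: (risk_score(r["likelihood"], r["impact"]), r["asset_value"]),
        reverse=True,
    )


def treatment(risk: dict, appetite: str = "Low") -> str:
    """Suggest a treatment: accept when the risk is within the (assumed) risk
    appetite or the control costs more than the asset is worth; otherwise
    reduce it. Transfer and avoidance stay a human decision here."""
    value = risk_value(risk["likelihood"], risk["impact"])
    if LEVELS[value] <= LEVELS[appetite]:
        return "Accept (within risk appetite)"
    if risk["control_cost"] > risk["asset_value"]:
        return "Accept (control cost exceeds asset value)"
    return "Mitigate"


# Constructed sample register: asset, its valuation, the threat/vulnerability
# pair, the probability and impact ratings, and the candidate control's cost.
REGISTER = [
    {"asset": "Customer database", "asset_value": 500_000,
     "threat": "External attacker", "vulnerability": "Unpatched DB server",
     "likelihood": "High", "impact": "High", "control_cost": 20_000},
    {"asset": "Intranet wiki", "asset_value": 5_000,
     "threat": "Insider", "vulnerability": "Weak password policy",
     "likelihood": "Medium", "impact": "Low", "control_cost": 8_000},
    {"asset": "Marketing website", "asset_value": 50_000,
     "threat": "Defacement", "vulnerability": "Outdated CMS plugin",
     "likelihood": "Medium", "impact": "Medium", "control_cost": 3_000},
]

if __name__ == "__main__":
    # Print the register in priority order with the derived value and treatment.
    for r in prioritize(REGISTER):
        value = risk_value(r["likelihood"], r["impact"])
        print(f'{r["asset"]:<20} {value:<7} {treatment(r)}')
```

Running the block lists the customer database first (High, mitigate), the marketing website second (Medium, mitigate) and the intranet wiki last (Low, accepted because it sits within the assumed appetite). Changing the `appetite` argument or the scoring bands shows how sensitive the prioritization is to those policy choices.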
- The above diagram represents the Risk Management process in detail. Leave your questions in the comments section.